CVE-2025-68161

Published Dec 18, 2025

Last updated 2 months ago

Overview

Description
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) configuration attribute or the log4j2.sslVerifyHostName (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

* The attacker is able to intercept or redirect network traffic between the client and the log receiver.
* The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender's configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
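The alternative mitigation named above, as an added configuration example that is not part of this record or of the Log4j project's own documentation: a Socket Appender over TLS whose trust store holds only a private logging CA, so that even on an affected version the set of certificates the appender will accept is limited to that CA. The host, port, trust-store path, store type and the environment variable holding the password are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example configuration; host, port, paths and password source are placeholders. -->
<Configuration status="WARN">
  <Appenders>
    <!-- protocol="SSL" makes the appender connect over TLS rather than plain TCP. -->
    <Socket name="TlsLogReceiver" host="logs.internal.example" port="6514" protocol="SSL">
      <!-- verifyHostName="true" is the setting the advisory refers to: on Log4j Core
           2.0-beta9 through 2.25.2 it is accepted but not enforced, and only 2.25.3
           actually checks the peer certificate against the configured host. -->
      <Ssl protocol="TLS" verifyHostName="true">
        <!-- Private trust root: only certificates chaining to the internal logging CA
             are accepted, instead of everything in the default Java trust store. -->
        <TrustStore location="/etc/myapp/logging-ca-truststore.p12"
                    type="PKCS12"
                    passwordEnvironmentVariable="LOG_TRUSTSTORE_PASSWORD"/>
      </Ssl>
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c - %m%n"/>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="TlsLogReceiver"/>
    </Root>
  </Loggers>
</Configuration>
```

The same hostname check can be requested globally with the log4j2.sslVerifyHostName system property instead of the verifyHostName attribute, with the same caveat: neither takes effect before 2.25.3, so on earlier versions the restricted trust store is what actually narrows which peers can terminate the connection, and upgrading is what restores the host-to-certificate binding.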
Source
security@apache.org
NVD status
Modified
Products
log4j

Risk scores

CVSS 4.0

Type
Secondary
Base score
6.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
4.8
Impact score
2.5
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security@apache.org: CWE-297 (Improper Validation of Certificate with Host Mismatch)
nvd@nist.gov: CWE-295 (Improper Certificate Validation)

Social media

Hype score
Not currently trending
  1. 🚨 SECURITY UPDATE: #openSUSE has released a critical patch for Apache #Log4j. Advisory SUSE-SU-2026:0254-1 addresses CVE-2025-68161, a TLS hostname verification flaw rated MODERATE (CVSS 6.3). Read more: 👉 https://t.co/nWrZ0Kyy4Z #Security https://t.co/MOH7NF5n1Q

    @Cezar_H_Linux

    23 Jan 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Apache Log4j Core vulnerability CVE-2025-68161 FIXED: inadequate TLS verification and man-in-the-middle attacks https://t.co/jh8Xgxxrg8 This issue lies in the Socket Appender, a feature that sends log data to external destinations, where the TLS

    @iototsecnews

    5 Jan 2026

    94 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender https://t.co/9ZWU6tp3r7 This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic

    @oss_security

    26 Dec 2025

    489 Impressions

    1 Retweet

    6 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  4. The New 2025 Log4j Vulnerability (CVE-2025-68161) Allowing Silent Data Interception and Log Hijacking Read the full report on - https://t.co/vzcqZG5vdN https://t.co/qJunL6mvIN

    @cyberbivash

    20 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-68161 The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHo… https://t.co/y7dDhBK1P1

    @CVEnew

    19 Dec 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations